From owner-freebsd-security Tue Jul 2 22:07:32 1996
Return-Path: owner-security
Received: (from root@localhost) by freefall.freebsd.org (8.7.5/8.7.3) id WAA00133 for security-outgoing; Tue, 2 Jul 1996 22:07:32 -0700 (PDT)
Received: from naughty.monkey.org ([141.211.26.102]) by freefall.freebsd.org (8.7.5/8.7.3) with ESMTP id WAA00125 for ; Tue, 2 Jul 1996 22:07:30 -0700 (PDT)
Received: from localhost (dugsong@localhost) by naughty.monkey.org (8.7.5/8.7.5) with SMTP id BAA04752; Wed, 3 Jul 1996 01:08:01 -0400 (EDT)
Date: Wed, 3 Jul 1996 01:08:01 -0400 (EDT)
From: Douglas Song
To: "Pedro F. Giffuni S."
cc: security@freebsd.org
Subject: Re: Please, please...
In-Reply-To:
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-security@freebsd.org
X-Loop: FreeBSD.org
Precedence: bulk

Get the latest version of BIND. This will help thwart DNS spoofing attacks, but DNS just doesn't have any real security to begin with, so keep that in mind.

Check out the smap sendmail proxy from the TIS firewall toolkit (ftp://ftp.tis.com/pub/firewalls/toolkit, I believe). Sendmail does NOT need to be setuid root, and you don't want to run that beast out of inetd anyhow. Maybe FreeBSD could take a great step forward by incorporating smap and other security tools into the standard distribution?

Hose the s-bit off all unnecessary binaries (suidperl and the mount_* commands come to mind ;) and consider a clean reinstall, if you haven't been running tripwire or something like it.

Best of luck...

---
Douglas Song
dugsong@monkey.org
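
An audit along the lines of the s-bit advice in the message above, as an added example that is not part of the original message: it lists every setuid/setgid file under a directory and flags the ones not on an approved list, so the unnecessary ones can be stripped. The function names `audit_sbits` and `strip_sbits` and the allowlist format (one absolute path per line) are assumptions made for this example.

```shell
#!/bin/sh
# Added example (not from the original message). Function names and the
# allowlist format (one absolute path per line) are assumptions.

# audit_sbits ROOT ALLOWLIST
# Lists setuid/setgid regular files under ROOT. Prints "KEEP   <path>" for
# paths on the allowlist and "REVIEW <path>" for the rest.
# Returns 1 if anything needs review, 0 otherwise.
# Limitation: paths containing newlines are not handled.
audit_sbits() {
    audit_root=$1
    audit_allow=$2
    audit_status=0
    # -xdev: stay on one filesystem. -perm -4000 / -2000: setuid / setgid set.
    audit_list=$(find "$audit_root" -xdev -type f \
        \( -perm -4000 -o -perm -2000 \) -print 2>/dev/null | sort)
    while IFS= read -r f; do
        [ -n "$f" ] || continue
        # -F fixed string, -x whole-line match: no partial path matches.
        if grep -Fqx -e "$f" "$audit_allow"; then
            echo "KEEP   $f"
        else
            echo "REVIEW $f"
            audit_status=1
        fi
    done <<EOF
$audit_list
EOF
    return "$audit_status"
}

# strip_sbits FILE...
# Clears the setuid and setgid bits, leaving the other permission bits alone.
strip_sbits() {
    chmod u-s,g-s "$@"
}
```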